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What is SSL/TLS? 




Terminology 



SSL: Secure Sockets Layer 
Proposed by Netscape 

■ SSLv2: 1995 

■ SSLv3: 1996 

TLS: Transport Layer 
Security 

IETF Standardization of SSL 

■ TLSvl.0 = SSLv3: 1999 

■ TLSvl.l: 2006 

■ TLSvl.2: 2008 



HTTPS: HTTP (Hypertext 
Transport Protocol) over SSL 
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Application 



Presentation 



•Application to handle data 
• HTTP, FTP, SSH, SMTP, SNMP, 



• Data representation, encryption 

•TLS (Transport Layer Security)/ SSL (Secure Sockets Layer) 



OSI 

Network 
Protocol 
Stack 



Session 



» Managing sessions 



Transport 



• End-to-end connections, reliability, flow control 

•TCP (Transport Control Protocol), UDP (User Datagram Protocol) 



Network 



'Logical addressing 
'IPv4, IPv6 



Data Link 



• Physical addressing 
•802.3 (Ethernet) 



Physical 



• Media, signal, and binary transmission 
•802.3 (Ethernet), 802.11 (Wireless) 



Web applications 



Web browsers 



[ HTML 


• forms, JavaScript, ... 


HTTP 


• cookies 
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TLS 





TCP 




(IPsec) 



Ethernet 





Web servers 





HTML 



HTTP 



TLS 



TCP 



•static files or CGI programs (PHP, Java, C#) 
• databases, XML web services 



cookies 




(IPsec) 



Ethernet 



Security goals of TLS 



Provides authentication based on public key certificates 

■ server-to-client (always) 

■ client-to-server (optional) 

Provides confidentiality and integrity of message transmission 



But only protects confidentiality if authentication is correct. 



Certificates 



Digital signatures: 

■ A user signs a message 
using her private key. 

■ Anyone holding a copy of her 
public key can verify her 
message. 

X.509 certificates are used 
to certify that a public key 
belongs to a particular entity. 

Certificate authorities (CAs) 
sign users' public keys. 
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www.google.com.au 

Identity verified 



Permissions 



Connection 



□ 



The identity of this website has been 
verified by Google Internet Authority. 

Certificate Information 



Your connection to www.google.com.au is 
encrypted with 128-bit encryption. 

The connection uses TLS 1.1. 

The connection is encrypted using 
RC4_128, with SHA1 for message 
authentication and ECDHE_ECDSA as the 
key exchange mechanism. 

Site information 

You first visited this site on May 10, 
2013. 



What do these mean? 



G 



Google S 



Certificates 



LJ Equifax Secure Certificate Authority 
■-► Q Google Internet Authority 



; . google. com 



Certificate: 
Data: 
Version: 3 (0x2) 
Serial Number: 

17:58:c3:a6:00:01:00:00:86:50 
Signature Algorithm: shalWithRSAEncryption 



"One of 650+ organizations trusted by 

your browser claims this public key 
belongs to yoursite.com and (probably) 

paid us some money." 
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OK 



Aouavj Auinoniy i\ey laenimer: 

keyid:BF:C0:30:EB:F5:43:ll:3E:67:BA:9E:91:FB:FC:6A:DA:E3:6B:12:24 

X509v3 CRL Distribution Points: 

URI:http://www.gstatic.com/GooglelnternetAuthority/GooglelnternetAuthority.crl 



TLS authentication using certificates 



Server creates 

public key/ private 

key pair 



Certificate authority 

(CA) creates 

certificate for 

server's public key 



Server sends 

certificate in TLS 

handshake 



Server uses private 

key to sign 

messages in TLS 

handshake 






Client 

authenticates 

server's TLS 

handshake 



Client verifies 

server 

certificate using 

CA certificate 



Client receives 

server's 

certificate 



Client installs 

CA's public key 

in browser 



Italics mean event happens once, before any connections. 



What is TLS? 



In reality: 

5 protocol versions 

vast array of standards 

many implementations! 

300+ combinations of 
cryptographic primitives 

different levels of security 

different modes of 
authentication 

additional functionality: 

■ alerts & errors 

■ session resumption 

■ renegotiation 

■ compression 



Protocol Support 
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SSL 

v3.0 
1996 



TLS 

v1.0 
1999 



TLS 

v1.1 
2006 



TLS 

v1.2 
2008 



https://www.trustworthyinternet.org/ssl-pulse/ May 7, 2013 



The current approved version of TLS is version 1.2, which is specified in: 

RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2". 
The current standard replaces these former versions, which are now considered obsolete: 

RFC 2246: "The TLS Protocol Version 1.0". 

RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1". 
as well as the never standardized SSL 3.0: 

RFC 6101: "The Secure Sockets Layer (SSL) Protocol Version 3.0". 
Other RFCs subsequently extended TLS. 
Extensions to TLS 1.0 include: 

RFC 2595: "Using TLS with IMAP, P0P3 and ACAP". Specifies an extension to the IMAP, P0P3 and ACAP services that allow the server and client to use transport-layer 

security to provide private, authenticated communication over the Internet. 

RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit cipher suites defined in this memo appear only for the purpose of 

documenting the fact that those cipher suite codes have already been assigned. 

RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing 

TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443). 

RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'. 

RFC 3207: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client 

to use transport-layer security to provide private, authenticated communication over the Internet. 

RFC 3268: "AES Ciphersuites for TLS". Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers. 

RFC 3546: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some 

extensions. Made obsolete by RFC 4366. 

RFC 3749: "Transport Layer Security Protocol Compression Methods", specifies the framework for compression methods and the DEFLATE compression method. 

RFC 3943: "Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)". 

RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)". 

RFC 4162: "Addition of SEED Cipher Suites to Transport Layer Security (TLS)". 

RFC 4217: "Securing FTP with TLS". 

RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new cipher suites for the TLS protocol to support authentication based 

on pre-shared keys. 
Extensions to TLS 1.1 include: 

RFC 4347: "Datagram Transport Layer Security" specifies a TLS variant that works over datagram protocols (such as UDP). 

RFC 4366: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions and a generic extension mechanism. 

RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)". 

RFC 4507: "Transport Layer Security (TLS) Session Resumption without Server-Side State". 

RFC 4680: "TLS Handshake Message for Supplemental Data". 

RFC 4681: "TLS User Mapping Extension". 

RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)". 

RFC 5054: "Using the Secure Remote Password (SRP) Protocol for TLS Authentication". Defines the TLS-SRP ciphersuites. 

RFC 5081: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication", obsoleted by RFC 6091. 
Extensions to TLS 1.2 include: 

RFC 5746: "Transport Layer Security (TLS) Renegotiation Indication Extension". 

RFC 5878: "Transport Layer Security (TLS) Authorization Extensions". 

RFC 6091: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication". 

RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0". 

RFC 6209: "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)". 
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Components of TLS 




Crypto 
primitives 



• RSA, DSA, 
ECDSA 

Diffie-Hellman, 
ECDH 

•HMAC 

•MD5,SHA1, 
SHA-2 

• DES, 3DES, RC4, 
AES 



Ciphersuite 
details 



• Data structures 

• Key derivation 

• Encryption 
modes, IVs 

•Padding 
•Compression 



Protocol 
"framework" 



• Alerts & errors 

• Certification / 
revocation 

• Negotiation 

• Renegotiation 
•Session 

resumption 



Libraries 



• OpenSSL 
•GnuTLS 
•SChannel 
•JavaJSSE 



• Web browsers: 
Chrome, Firefox, 
IE, Safari 

• Web servers: 
Apache, IIS, 

Application 
SDKs 

• Certificates 



TLS protocol overview 
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Negotiation of cryptographic parameters 
Authentication (one-way or mutual) using public key certificates 



Establishment of a master secret key 



Derivation of encryption and authentication keys 



Key confirmation 



Bi-direction authenticated encryptioi 
Optional compression 
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Cryptographic details 




Bi-direction authenticated encryption 
Optional compression 



Is TLS secure? 



What should TLS do? 



Server-to-client 
authentication 

Client-to-server 

authentication 

(optional) 

Confidential 
communication with 
integrity protection 



hat doesn't TLS do? 



■(Trusted creation of 
certificates) 

■ Password-based 
authentication 

■Stop denial of service 
attacks 



Prevent web application 
vulnerabilities 



Mathematically... 



After 10+ years of cryptographic research, we know that: 

■ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite running 
in TLSvl.2 is a secure authenticated and confidential channel 
establishment protocol assuming 

■ TLS PRF is secure 

■ DSA is existentially unforgeable under chosen message attack 

■ variant of oracle Diffie-Hellman assumption 

■ record layer encryption is secure stateful length-hiding authenticated 
encryption (sLHAE) 



Components of TLS 




ECDSA 

Diffie-Hellman, 
ECDH 

•HMAC 

»MD5,SHA1, 
SHA-2 

• DES, 3DES, RC4, 
AES 



• Data structures 
Key derivation 
Encryption 
modes, IVs 
Padding 
Compression 



Protocol 
"framework" 



• Alerts & errors 
Certification / 
revocation 
Negotiation 

• Renegotiation 

• Session 
resumption 




OpenSSL 
•GnuTLS 
•SChannel 
•JavaJSSE 



• Web browsers: 
Chrome, Firefox, 
IE, Safari 

• Web servers: 
Apache, IIS, .. 

Application 
SDKs 

• Certificates 



The gap between theory & practice 



Crypto 
primitives 



Lucky 



• RSA, DSA, 
ECDSA 

Diffie-Hellman, 
ECDH 

•HMAC 

•MD5,SHA1, 
SHA-2 

• DES, 3DES, RC4, 
AES 



Rizzo & Duong 
'BEAST" attack 



ures 
deff ytion 
• Encryption 
modes, IVs 
•Padding 
•Compression 




Rizzo & Duong 
"CRIME" attack 



Bleichenbachi 
RSA PKCf 



• Alerts & errors 

• Certification / 
revocation 

• Negotiation 

• Renegotiati 

• Sessio^^ 



Ray & Dispensa 

renegotiation 

attack 



Debian 

OpenSS" 

entropy bug 



• OpenSSL 
•GnuTLS 
•SChannel 
•JavaJSSE 



Applications 





• Web browsers: 
Chrome, Firefox, 
IE, Safari 

• Web servers 
Apache, l| 

Application 
SDKs 

Certificates ^jM^ 




Esoteric features - renegotiation 



Allows parties to update 
an existing TLS session 
to get a new key or 
change authentication 

Attacker can inject a 
packet before 
legitimate traffic 

Nov. 2009 

Fix: disable 
renegotiation or 
upgrade 



Renegotiation Support 

Secure renegotiation 

138,559 80.8% 

+ 0.5 % 

Insecure renegotiation 

14,884 8.7% 

- 0.3 % 

Both 

1,927 1.1% 
+ o.o % 

No support 

16,137 9.4% 

-0.3% 

https://www.trustworthyinternet.org/ssl-pulse/ May 7, 2013 




Esoteric features - compression 




TLS supports optional 
compression 

Message broken up into 
chunks, each chun 
compressed then 

Size of ciphertext 
= > amount of com 
= > leaks plaintext 

"CRIME" attack, Sept. 2012 

Fix: disable compression 



TLS Compression / CRIME 




Sites that support 
TLS compression 

41 ,386 

- 2.4 % 



H 



https://www.trustworthyinternet.org/ssl-pulse/ May 7, 2013 



Certificate authority breaches and errors 



DigJNotar in Jul. 2011 

■ security breach, malicious certificates 
for many domains issued 

■ went out of business 
TURKTRUST in Aug, 2011 

■ issued intermediate CA with wildcard 
signing capabilities 

■ later used for man-in-the-middle proxy 
filtering/scanning 

■ no evidence for use in attack 

■ detected only in Jan 2013 

Digicert Malaysia in Nov, 2011 

■ 22 certificates with weak private keys 
or missing revocation details issued 

KPN/Getronics in Nov. 2011 

■ suspended CA business after detecting 
infection on its web server no evidence 
of certificate malfeasance 



Web browsers trust 
650+ certificate 
authorities which can 
issue certificates for 
any domain on the 
Internet 

Extended validation 
certificates don't solve 
the problem 



Certificate validation in SDKs 




... but didn't properly 
use certificate 
validation. 

= > Any valid 
certificate would be 
accepted as "valid" by 
PayPal SDK (any many 
others) 

Most fixed 

https://crypto.stanford.edu/~dabo/ 
pu bs/ a bstracts/ss l-client-bugs.htm I 



Cryptographic attacks 




Improving TLS 



Good server configurations can make TLS 
more secure right now . 



Solutions for improving control over 
certificates are coming soon . 



User authentication is not here yet. 



Deploy fixes against known attacks 




Upgrade to latest web server versions to fix: 



BEAST, renegotiation attacks 



Turn off compression in SSL/TLS to fix CRIME attack 
Prefer AES-CBC mode or TLSvl.2 



Elliptic curve cryptography 



Offers the same 
cryptographic security 
with smaller keys and 
better performance 

RSA 2048-bit: 
200 signs/sec 

ECDSA 256-bit: 

4500 signs/sec 






Browser: modern ones 

Servers: modern ones 

Few CAs support 
elliptic curve public 
keys 

Part of NIST Suite B 



Ephemeral Diffie-Hellman 



irrpq 



Provide perfect 
forward secrecy in 
TLS handshake key 
agreement 

If your certificate's 
private key is every 
compromised, 
attackers can't 
decrypt past 
communications 







this 



Browsers: all 
Web servers: all 

Cost: slower server 
performance 

■ But with elliptic curves 
not much slower: 

1 +l-5ms/connection 

■ 

default ciphersuite 

SSLCipherSuite ECDHE-RSA-RC4 
SHA: HIGH : ... 






Key size, SHA-2, SHA-3 & NIST Suite B 



RSA: 1024-bit keys 
shouldn't be used any 
more 



RSA: 2048-bit keys 
good for a while 

SHA-2: Good choice 

SHA-3: Not needed for 
the foreseeable future 




NIST Suite B : TLS 1.2 + 
AES + SHA-2 + elliptic 
curve public keys 

Required for US 
national security 
systems use after 2015 

■ Few servers support TLS 
1.2 

■ Few CAs support elliptic 
curve public keys 



HTTP Strict Transport Security 



Declare that your 
website should always 
be accessed over 
HTTPS 

Next time, supporting 
browsers will always 
request 

https://www.yoursite.com/ 

no matter what the 
user types or the link 
says 




Standardized: 
RFC 6797 

Browser support: 
Chrome, Firefox, 
Opera 

Server support: easy, 
just add a custom 
HTTP header 

■ LoadModule headers_module modules/ 
mod_headers . so 

■ <VirtualHost 10 . . . 1 :443> 

■ Header always set Strict-Transport-Security 
" max -age=3 153 6000; i ncludeSubDomai ns" 

■ </Vi rtualHost> 



Certificate pinning and tacking 



Pinning : you can 
declare that your site 
will only use keys 
signed by X for the 
next Y time period 

E.g. used by Google 
Chrome for a few 
years, used to detect 
DigiNotar breach 






Not standardized; 

competing(?) 

techniques 

Pinning: supported by 
Chrome; easy to do on 
a web server 

Tacking: no support 
yet 



DANE: DNS-based Authentication of 

Named Entities 



[TTPJJ 



Store sites' public 
keys in DNS records 

Retrieve 

authentically via 
DNSSEC 

Replaces X.509 CAs 
entirely but now has 
a single root of trust 
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Standardized -> 

Browser support: 
Chrome, Firefox 
extension 



Requires DNSSEC 
infrastructure and 
support (not .au), 
plus server setup 




User authentication 



%// 



TLS today only does 
client-to-server 
authentication based 
on public-key 
certificates. 

No native support for 
single sign-on or 
password-based 
authentication. 



HTTP working 
group looking for 
secure password 
authentication 
protocols. 

■ Possible to 
cryptographically protect 
password authentication 
so it's secure even in the 
face of phishing. 



On the security of SSL/TLS 

Dr Douglas Stebila • Queensland University of Technology, Brisbane 



Transport Layer Security 



Essential for server-to- 
client authentication and 
confidential 
communication on the 
web and elsewhere. 

Relies heavily on public 
key certificates. 

Complex cryptographic 
protocol with many 
options. 





Staying secure 





Cryptographic security of 
TLS constantly evolving. 

Update servers to get fixes 
for recent attacks. 

Better certificate 
management coming soon 
(pinning, DANE). 

Visit webcryptography.org in 
a few weeks' time for a 
clearinghouse on TLS and 
web cryptography. 



